Logstash date filter error

yugeeklab · July 21, 2022, 10:24am

 filter {
     if "client" in [tags] {
          grok {
            match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} MysqlClient:SYSTEM_USER:%{QS:mysql_client.system_user}, MYSQL_USER:%{QS:mysql_client.mysql_user}, CONNECTION_ID:%{NUMBER:mysql_client.connection_id}, DB_SERVER:%{QS:mysql_client.db_server}, DB:%{QS:mysql_client.db}, QUERY:%{QS:mysql_client.query}" 
                             }
          }
          date {
            match => ["timestamp", "yyyy-MM-dd hh:mm:ss.SSS"]
            target => "after_timestamp"
            timezone => "Asia/Seoul"
            add_tag => ["date"]
          }
     }
}

result

{
"mysql_client.query" => "'t;'",
"@timestamp" => 2022-07-21T10:08:14.192Z,
"mysql_client.db_server" => "'--'",
"tags" => [
[0] "client",
[1] "beats_input_codec_plain_applied",
[2] "_dateparsefailure"
],
"timestamp" => "2022-07-21 19:08:07.8218",
"mysql_client.db" => "'--'",
"message" => "2022-07-21 19:08:07.8218 MysqlClient:SYSTEM_USER:'deploy', MYSQL_USER:'root', CONNECTION_ID:19, DB_SERVER:'--', DB:'--', QUERY:'t;'",
"ecs" => {
"version" => "1.6.0"
},
"mysql_client.mysql_user" => "'root'",
"mysql_client.connection_id" => "19",
"@version" => "1",
...
}

Can you find the wrong point?

Badger · July 21, 2022, 12:48pm

SSS will not match 8218. Try "yyyy-MM-dd hh:mm:ss.SSSS"

system · August 18, 2022, 12:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.